diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 59386f7de22..1fb11dc9303 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -5,7 +5,49 @@ featureGates: - KMSEncryptionProvider tests: onCreate: - - name: Should be able to create encrypt with KMS for AWS with valid values + - name: Should be able to create encrypt with KMS for Manual provider with valid name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + name: my-kms-plugin + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + type: Manual + name: my-kms-plugin + - name: Should fail to create KMS Manual provider without name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + expectedError: "name is required when kms provider type is Manual" + - name: Should fail to create KMS Manual provider with empty name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + name: "" + expectedError: "name is required when kms provider type is Manual" + - name: Should be able to create KMS with AWS provider and valid aws config initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -15,7 +57,7 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 region: us-east-1 expected: | apiVersion: config.openshift.io/v1 @@ -28,9 +70,9 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 region: us-east-1 - - name: Should fail to create encrypt with KMS for AWS without region + - name: Should fail to create KMS AWS provider without aws config initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -39,32 +81,30 @@ tests: type: KMS kms: type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - expectedError: "spec.encryption.kms.aws.region: Required value" - - name: Should not allow kms config with encrypt aescbc + expectedError: "aws config is required when kms provider type is AWS" + - name: Should fail to create KMS with invalid provider type initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: - type: aescbc + type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - - name: Should fail to create with an empty KMS config + type: InvalidType + name: my-plugin + expectedError: "supported values: \"AWS\", \"Manual\"" + - name: Should fail to create KMS Manual provider with name longer than 80 characters initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: type: KMS - kms: {} - expectedError: "spec.encryption.kms.type: Required value" - - name: Should fail to create with kms type AWS but without aws config + kms: + type: Manual + name: this-is-a-very-long-name-that-exceeds-the-maximum-allowed-length-of-eighty-characters-for-kms-plugin + expectedError: "Too long: may not be more than 80 bytes" + - name: Should fail to create KMS Manual provider with name containing forward slash initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -72,9 +112,10 @@ tests: encryption: type: KMS kms: - type: AWS - expectedError: "aws config is required when kms provider type is AWS, and forbidden otherwise" - - name: Should fail to create AWS KMS without a keyARN + type: Manual + name: invalid/path + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should fail to create KMS Manual provider with name containing double dots initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -82,11 +123,10 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - region: us-east-1 - expectedError: "spec.encryption.kms.aws.keyARN: Required value" - - name: Should fail to create AWS KMS with invalid keyARN format + type: Manual + name: ../escape + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should fail to create KMS Manual provider with name containing double dots in middle initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -94,12 +134,30 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: not-a-kms-arn - region: us-east-1 - expectedError: "keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - - name: Should fail to create AWS KMS with empty region + type: Manual + name: some..name + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should not allow kms config with encrypt aescbc + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: aescbc + kms: + type: Manual + name: my-plugin + expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" + - name: Should fail to create with an empty KMS config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: {} + expectedError: "spec.encryption.kms.type: Required value" + - name: Should fail to create KMS AWS with invalid keyARN format initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -109,10 +167,10 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "" - expectedError: "spec.encryption.kms.aws.region in body should be at least 1 chars long" - - name: Should fail to create AWS KMS with invalid region format + keyARN: invalid-arn-format + region: us-east-1 + expectedError: "keyARN must follow the format" + - name: Should fail to create KMS AWS with invalid region format initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -122,6 +180,6 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "INVALID-REGION" - expectedError: "region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 + region: INVALID_REGION + expectedError: "region must be a valid AWS region" diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 3293204fa4e..0a4f7809066 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go @@ -2,19 +2,33 @@ package v1 // KMSConfig defines the configuration for the KMS instance // that will be used with KMSEncryptionProvider encryption -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="(self.type == 'AWS' && has(self.aws)) || (self.type == 'Manual' && has(self.name) && self.name != '')",message="aws config is required when kms provider type is AWS; name is required when kms provider type is Manual" // +union type KMSConfig struct { // type defines the kind of platform for the KMS provider. - // Available provider types are AWS only. + // Available provider types are Manual only. // // +unionDiscriminator // +required Type KMSProviderType `json:"type"` + // name specifies the KMS plugin name. + // This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + // and is between 1 and 80 characters in length. + // The KMS plugin must listen at this socket path. + // This field is required when type is Manual, and forbidden when type is AWS. + // The name must be a safe socket filename and must not contain '/' or '..'. + // + // +kubebuilder:validation:MaxLength=80 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="!self.contains('/') && !self.contains('..')",message="name must be a safe socket filename (must not contain '/' or '..')" + // +optional + Name string `json:"name,omitempty"` + // aws defines the key config for using an AWS KMS instance // for the encryption. The AWS KMS instance is managed // by the user outside the purview of the control plane. + // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. // // +unionMember // +optional @@ -22,6 +36,7 @@ type KMSConfig struct { } // AWSKMSConfig defines the KMS config specific to AWS KMS provider +// Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. type AWSKMSConfig struct { // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. // The value must adhere to the format `arn:aws:kms:::key/`, where: @@ -46,10 +61,15 @@ type AWSKMSConfig struct { } // KMSProviderType is a specific supported KMS provider -// +kubebuilder:validation:Enum=AWS +// +kubebuilder:validation:Enum=AWS;Manual type KMSProviderType string const ( // AWSKMSProvider represents a supported KMS provider for use with AWS KMS + // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. AWSKMSProvider KMSProviderType = "AWS" + + // ManualKMSProvider represents a supported KMS provider is managed by user manually not by OpenShift. + // KMS plugin is supposed to be run as static pods on each control plane + ManualKMSProvider KMSProviderType = "Manual" ) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..884bf431462 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..b97ac3e1af3 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..34aedde742f 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a3919b9a489..d2c3cda44d1 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index b2d021729be..61e5142763d 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -2326,7 +2326,7 @@ func (Storage) SwaggerDoc() map[string]string { } var map_AWSKMSConfig = map[string]string{ - "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", } @@ -2337,8 +2337,9 @@ func (AWSKMSConfig) SwaggerDoc() map[string]string { var map_KMSConfig = map[string]string{ "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "type": "type defines the kind of platform for the KMS provider. Available provider types are Manual only.", + "name": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. This field is required when type is Manual, and forbidden when type is AWS. The name must be a safe socket filename and must not contain '/' or '..'.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", } func (KMSConfig) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index dbe2b5b3857..d1d254b265d 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -9174,7 +9174,7 @@ func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) c return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "keyARN": { @@ -16148,15 +16148,22 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + Description: "type defines the kind of platform for the KMS provider. Available provider types are Manual only.", Default: "", Type: []string{"string"}, Format: "", }, }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. This field is required when type is Manual, and forbidden when type is AWS. The name must be a safe socket filename and must not contain '/' or '..'.", + Type: []string{"string"}, + Format: "", + }, + }, "aws": { SchemaProps: spec.SchemaProps{ - Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), }, }, @@ -16169,7 +16176,8 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", + "aws": "AWS", + "name": "Name", }, }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 97afd57f431..82f131e8a67 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4454,7 +4454,7 @@ ] }, "com.github.openshift.api.config.v1.AWSKMSConfig": { - "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "type": "object", "required": [ "keyARN", @@ -4572,6 +4572,19 @@ } } }, + "com.github.openshift.api.config.v1.AcceptRisk": { + "description": "AcceptRisk represents a risk that is considered acceptable.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.AdmissionConfig": { "type": "object", "properties": { @@ -5859,6 +5872,18 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus" }, + "conditionalUpdateRisks": { + "description": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ConditionalUpdateRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "conditionalUpdates": { "description": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", "type": "array", @@ -6066,6 +6091,15 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.Release" }, + "riskNames": { + "description": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "risks": { "description": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "type": "array", @@ -6092,6 +6126,18 @@ "matchingRules" ], "properties": { + "conditions": { + "description": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, "matchingRules": { "description": "matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended.", "type": "array", @@ -8499,11 +8545,15 @@ ], "properties": { "aws": { - "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig" }, + "name": { + "description": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. This field is required when type is Manual, and forbidden when type is AWS. The name must be a safe socket filename and must not contain '/' or '..'.", + "type": "string" + }, "type": { - "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "description": "type defines the kind of platform for the KMS provider. Available provider types are Manual only.", "type": "string", "default": "" } @@ -8512,7 +8562,8 @@ { "discriminator": "type", "fields-to-discriminateBy": { - "aws": "AWS" + "aws": "AWS", + "name": "Name" } } ] @@ -11590,6 +11641,18 @@ "description": "Update represents an administrator update request.", "type": "object", "properties": { + "acceptRisks": { + "description": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.AcceptRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "architecture": { "description": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", "type": "string", @@ -11624,7 +11687,7 @@ ], "properties": { "acceptedRisks": { - "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", "type": "string" }, "completionTime": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..884bf431462 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..b97ac3e1af3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..34aedde742f 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,21 +207,37 @@ spec: - keyARN - region type: object + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + This field is required when type is Manual, and forbidden when type is AWS. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not contain + '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are Manual only. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: aws config is required when kms provider type is AWS; + name is required when kms provider type is Manual + rule: (self.type == 'AWS' && has(self.aws)) || (self.type == + 'Manual' && has(self.name) && self.name != '') type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer.